Sergey Nivens - Fotolia

Balabit bets big on Blindspotter

At first glance behavioural analytics may seem a strange direction for security company Balabit – but it makes sense on closer inspection

European security firm Balabit has just released its first new product since receiving $8m in investment from C5 Capital June 2014, betting heavily on behavioural analytics technology.

At first glance behavioural analytics may seem a strange direction for a company probably best known for its syslog-ng open-source log management tool and its commercial syslog-ng premium edition, but makes better sense in the light of Splunk’s acquisition of Caspida, which highlights the growing importance of this type of security technology.

The newest product to come from Balabit’s Hungary-based developers is called Blindspotter and is aimed at helping companies see what they have never been able to see before.

Balabit describes Blindspotter as a real-time user behaviour analytics monitoring tool, which its developers say is a natural progression from the company’s Shell Control Box privileged activity monitoring appliance.

Its release to market is well-timed, considering US security analytics firm Splunk’s acquisition of behavioural analytics firm Caspida will see combined products coming to market only after an integration period of at least several months.

While Blindspotter is a standalone product, it is also complementary to syslog-ng and Shell Control Box, and is built to work well with these data sources.

Detecting unusual behaviour

But Blindspotter is also a logical progression for the company in terms of its guiding contextual security intelligence (eCSI) concept, aimed at changing existing IT security methods that restrict users' access and activities by control-based security tools.

The eCSI concept seeks to avoid introducing additional security control tools, extra authentication layers and policies. Instead, it seeks to improve security capabilities using continuous monitoring, context and proven algorithms that focus on finding unusual activity in the behaviour of users to highlight anomalies that are worth investigating.

Historically, information security and business performance have been viewed as two different, and sometimes opposing, goals. But this is something Balabit is seeking to address through its eCSI concept by developing products that do not hinder – and can even support – business performance.

Read more about behavioural analytics

“Balabit’s goal is to develop security tools that satisfy business and find the right balance with security. We believe IT security should focus more on security and business than IT,” says Marton Illes, the company’s eCSI evangelist.

This philosophy has led to the focus on real-time monitoring, based on the realisation that not everything can or should be controlled.

“Monitoring gives people greater freedom in the way they work and has the potential for greater returns on investment; it helps manage the risk without hindering the workflow, and it can help educate users by encouraging them to be more security conscious,” says Illes.

Using a baseline of normal activity

Balabit believes this approach has the potential to boost staff morale, reduce cost and make it easier for IT security teams adapt to internal or external changes.

A monitoring approach also means that, if attackers are able to bypass other controls, there is a second layer of security that will enable the organisation to identify and respond to any malicious activity taking place on the network.

In Blindspotter, monitoring is in the form of behaviour analysis that draws on contextual information and has the capacity to identify malicious activity, regardless of what malware or other intrusion techniques attackers are using.

So how does the tool work?

Blindspotter is designed to collect and analyse the “digital footprints” of users across the corporate network and IT systems in real time as they go about their business.

Once the tool has built a baseline of the normal behaviour of any organisation’s users or groups of users such as sales and marketing, it is able to identify deviation from the established pattern, which includes things like log-in times and locations, IP addresses, preferred command abbreviations, typing speed and most-used services.

Blindspotter also continually updates and refines this baseline of “normal” activity, to take into account the gradual changes in business processes.

“If you know what normal looks like, you can recognise when something is abnormal and react immediately to prevent really bad things from happening,” says Peter Gyongyosi, Balabit’s product manager for Blindspotter.

Log data input

Advanced persistent threat (APT) attacks is a good use case for behavioural analytics, he says, because most APT attacks begin with the compromise of user credentials to enable attackers to penetrate systems by masquerading as legitimate users.

“If an organisation is able to detect when an account has been hijacked, then it is in a position to shut down an attack in the very early stages,” says Gyongyosi. In the same way, Blindspotter will enable organisations to identify users who have gone rogue, or have been coerced into co-operating with attackers because their patterns of behaviour will alter.

The logical progression of Balabit to behavioural analytics is further laid bare by the fact that one of the biggest sources of data for Blindspotter is the log data generated by many of the systems in a typical IT environment.

This input can be from individual systems, log management systems like syslog-ng, or security information and event management (SIEM) systems.

Other useful sources of data for Blindspotter include directory systems such as Active Directory and LDAP (lightweight directory access protocol), as well as custom data sources. While Blindspotter is designed to integrate with most standard data sources, manual integration will be required to work with custom data sources.

Balabit believes that, because the analysis is of the actual activities of users and groups of users, it is far more accurate and valuable than network-based analysis that looks at traffic volume or IP addresses. “When you are looking at a large number of user-specific activity data, it is far more difficult for attackers to fly under the radar,” says Gyongyosi.

Blindspotter outputs can be in the form of a dashboard display of detected changes, email alerts, and automated actions such as requiring additional authentication, asking a user to verify that they carried out a specific action or even disabling an account, depending on context.

Prioritising high-risk users

“This approach of anomaly detection is far more flexible and scalable than trying to identify known patterns of malicious behaviour, and helps organisations identify malicious activity – even when attackers are using custom malware or zero-day exploits,” explains Gyongyosi.

Context is important for prioritisation, he says, because different types of users have a different level of inherent risk. In other words, a chief executive or senior system administrator poses an inherently higher risk than a trainee, who has far fewer rights and can therefore cause much less damage.

This means Blindspotter will therefore give top priority to activities by high-risk users that show high levels of deviation from normal patterns of activity.

One of the beta testers of Blindpotter is an organisation that is required by regulation to review 20% of all sessions by users with privileged access. While Balabit’s Shell Control Box product is able to record these sessions, Blindspotter is able to identify which 20% should be reviewed for the greatest potential benefit, says Gyongyosi.

Balabit makes a compelling case for data science, and is building its future on this conviction but, according to Gyongyosi, behavioural analytics is currently only appropriate for larger organisations that handle highly sensitive data with a relatively high level of maturity in information security. Like the rest of Balabit’s portfolio, Blindspotter is designed for big business.

Below that level, he says organisations are typically still focusing on ensuring all their systems are patched, that their SIEM rules are set up, that their log management is in order, that their backup systems are in order and that their firewall rules are in place.

Gyongyosi believes it is only once all these things are in order that emerging technologies such as behavioural analytics come into play.

Security data analytics sectors

Companies in the financial sector are expected to be the biggest first adopters of user behaviour analytics for security purposes, followed by technology firms, communications suppliers and suppliers of critical national infrastructure.  

Balabit has come a long way in the past 15 years since it was set up around the then emerging firewall market by four university friends in Hungary, where its main development centres are still located.

Now headquartered in Luxembourg and with partners in more than 40 countries and sales offices in ten countries, including the UK, Balabit is betting on behaviour analytics to confirm its place as a leading European IT security innovator.


Read more on Hackers and cybercrime prevention